macOS Seatbelt Sandbox Profiling

Generate minimally-permissioned allowlist-based Seatbelt sandbox configurations for applications.

When to Use

• User asks to "sandbox", "isolate", or "restrict" an application on macOS
• Sandboxing any macOS process that needs restricted file/network access
• Creating defense-in-depth isolation if supply chain attacks are a concern

When NOT to Use

• Linux containers (use seccomp-bpf, AppArmor, or namespaces instead)
• Windows applications
• Applications that legitimately need broad system access
• Quick one-off scripts where sandboxing overhead isn't justified

Profiling Methodology